Pursuing Koobface and ‘Partnerka’

November 12, 2010

In any given week, I read at least a dozen reports and studies, but I seldom write about them because their conclusions either are obvious or appear slanted toward generating demand for specific products and services. Occasionally, though, a report will come along that is so full of useful data — and resonates so loudly with some of my own investigations — that it forces me to reassess my immediate research and reporting priorities.

One report released today that falls squarely into the latter category is Nart Villeneuve‘s superbly researched and detailed analysis (PDF) of “Koobface,” a huge network of hacked computers that are compromised mostly by social engineering scams spread among users of Facebook.com (Koobface is an anagram of “Facebook”). As the report describes, the Koobface infrastructure is a crime machine fed by cyber criminal gangs tied to a variety of moneymaking schemes involving Web browser search hijacking and the installation of rogue anti-virus software.

This report traces the trail of Koobface activity back through payments made to top criminal partners — known as Partnerka (PDF) — a mix of private and semi-public affiliate groups that form to facilitate coordinated malware propagation.

From the report:

“The Koobface operators maintain a server known as the mothership [which] acts as an intermediary between the pay-per-click and rogue security software affiliates and the compromised victims. This server receives intercepted search queries from victims’ computers and relays this information to Koobface’s pay-per-click affiliates. The affiliates then provide advertisements that are sent to the user. When a user attempts to click on the search results, they are sent to one of the provided advertisement links instead of the intended location. In addition, Koobface will receive and display URLs to rogue security software landing pages or will directly push rogue security software binaries to compromised computers. As a result, Koobface operators were able to generate over two million dollars in a one-year period.”

The report lists the nicknames of top Koobface affiliates, showing the earnings for each over the past year and the Web addresses of their associated affiliate programs. This is the kind of intelligence that — if shared broadly — has the potential to massively disrupt large scale criminal operations, because cybercrime researchers can use it to make sense of seemingly disparate pieces of information about criminal actors and groups. Nevertheless, it is rare to see this kind of raw data published, at least while those implicated remain at large.

Part 3 of the report, titled “The Takedown,” indicates that operations to shutter the Koobface infrastructure may already be underway. Earlier this year, McAfee published an analysis I wrote about takedowns that classified them into two groups: “Shuns” — which seek to shame the peers of a malicious network into severing its connections — and “stuns,” which refer to efforts to disconnect the physical and network control infrastructure used by a botnet. According to the report’s authors, a stun against Koobface is in the works.

“Prior to the publication of this report, notifications were delivered to the owners of the infrastructure that Koobface is abusing,” Villeneuve writes. “They include: fraudulent and stolen Facebook and Google accounts, stolen FTP credentials, and dedicated command and control servers. We are working to synchronize notification to the operators of these elements in order to have an impact on the operations of the Koobface botnet.”

Almost certainly more to come soon. Stay tuned.

Gelezyaka.biz, one of the rogue anti-virus affiliate programs tied to Koobface

Charting the Carnage from eBanking Fraud II

November 12, 2010

Several readers have asked to be notified if the U.S. map showing recent victims of high-dollar online banking thefts was updated. Below is a (non-interactive) screen shot of the updated, interactive map that lives here. Click the red markers to see more detail about the victim at that location, including a link to a story about the attack.


All-in-One Skimmers

November 10, 2010

ATM skimmers come in all shapes and sizes, and most include several components — such as a tiny spy cam hidden in a brochure rack, or fraudulent PIN pad overlay.  The problem from the thief’s perspective is that the more components included in the skimmer kit, the greater the chance that he will get busted attaching or removing the devices from ATMs.

Thus, the appeal of the all-in-one ATM skimmer: It stores card data using an integrated magnetic stripe reader, and it has a built-in hidden camera designed to record the PIN sequence after an unsuspecting customer slides his bank card into the compromised machine.

The model displayed here is designed to work on specific Diebold ATMs, and can hold a battery charge for two to four days, depending on ambient temperature and the number of customers who pull money out of the hacked ATM.

Functionally, it is quite similar to the all-in-one model pictured in the very first skimmer post in this ATM skimmer series, although its design indicates it may be identical to the one pictured here, which was found on a Wachovia ATM just a couple of miles from my home earlier this year.

The tiny pinhole camera in the image above is angled so that it points at the PIN pad below and to the left, recording the victim’s 4-digit personal identification number to a flash-based memory card.

Continue reading

Microsoft Plugs Office Holes, But No IE Fix Yet

November 9, 2010

Microsoft Corp. today issued three bundles of updates fixing at least 11 security vulnerabilities in its software, mainly flaws in Microsoft Office products. But the company did not release an update today to remedy  a critical flaw built into in all versions of the Internet Explorer Web browser that is now being exploited by at least one common, automated hacker toolkit.

Two of the updates address Office bugs, including one that is limited to older versions of PowerPoint and PowerPoint Viewer. Only one of today’s patches earned a “critical” rating, Microsoft’s most serious. But experts are warning that this critical Office vulnerability is likely to be used in targeted e-mail attacks against Microsoft Outlook users.

“One of the most dangerous aspects of this vulnerability is that a user doesn’t have to open a malicious email to be infected,” said Joshua Talbot, security intelligence manager for Symantec Security Response. “All that is required is for the content of the email to appear in Outlook’s Reading Pane. If a user highlights a malicious email to preview it in the Reading Pane, their machine is immediately infected. The same holds true if a user opens Outlook and a malicious email is the most recently received in their inbox; that email will appear in the Reading Pane by default and the computer will be infected.”

Microsoft did not issue an update to fix a zero-day flaw in Internet Explorer that bad guys are exploiting to break into Windows computers. Last week, the software giant warned that crooks were exploiting the flaw in targeted attacks, and that it had no intention of issuing a fix for the security hole outside of its normal monthly patching process (the second Tuesday of each month — today — is Patch Tuesday).

Since that advisory, the IE exploit has been bundled into the Eleonore Exploit pack, a powerful and widely-used commercial crimeware kit that makes it trivial for attackers to turn legitimate Web sites into platforms for installing malware when visitors browse the sites with vulnerable PCs.

If you have Office Installed, take a moment to visit Microsoft Update to patch things up. If you use IE, either upgrade to IE8 — which provides additional protections against this zero-day attack — or consider implementing the Fix-It tool that Microsoft has released to help mitigate the threat from the vulnerability.

A summary of today’s bulletins is available here.

Update, 7:03 p.m. ET: Added information at the end of this post on the Microsoft FixIt Tool.

Body Armor for Bad Web Sites

November 9, 2010

Hacked and malicious sites designed to steal data from unsuspecting users via malware and phishing are a dime a dozen, often located in the United States, and are a key target for takedown by ISPs and security researchers. But when online miscreants seek stability in their Web projects, they often turn to so-called “bulletproof hosting” providers, mini-ISPs that specialize in offering services that are largely immune from takedown requests and pressure from Western law enforcement agencies.

Until recently, you more or less had gain access to and lurk on the right underground forums to be able to rent services from bulletproof hosting providers. These days, it’s becoming easier to find these badware havens advertising out in the open. Last week, I traced the activities of one particular service frequented by criminals back to a bulletproof provider whose slogan says it all: “You’ll Never Get Any Abuse From Us!

Of course, just how insulated this particular provider’s services are and how much illicit activity you can get away with while using them depends largely on how much you’re willing to shell out each month. For example, an entry level “default bulletproof server” allows customers to host things like rogue online pharmacies, replica, gambling, and MP3 sites for $270 per month. But this service level bars customers from hosting nastier content, such as malware, spyware, adware, exploits, viruses, and phishing sites.

Upgrade to the “Super BulletProof Virtual Dedicated Servers in China” — and pay almost $500 a month — and the only activities that are prohibited are sending spam and hosting any type of porn.

The provider pictured here also upsells potential customers by offering a variety of handy add-on services. For extra coin each month, one can rent a bulletproof server with a license for XRumer, a black hat search engine manipulation tool that automates the registration of new Web forum accounts and the spamming of links on those forums, all in a bid to boost the search engine rankings of the spamvertized site. If you operate a blog and have had to deal with what appear to be automated, link-filled comments, chances are good that XRumer was involved in some way.

For a $20 one-time setup fee, your server will come pre-packaged with links for forums that XRumer is able to spam, including thousands of Web pages in top-level domains that are often given more ranking weight by search engines, such as .edu, .gov and .mil.


Have you seen:

Earn a Diploma from Scam U…Since the dawn of the Internet, tutorials showing would-be scammers how to fleece others have been available online. But for novices who can’t be bothered to scour the Net for these far flung but free resources, the tricks of the trade now can be learned through the equivalent of community college classes in e-thievery, or or via intensive, one-on-one online apprenticeships.


Authorities Nab More ZeuS-Related Money Mules

November 8, 2010

Authorities in the United States and Moldova apprehended at least eight individuals alleged to have helped launder cash for an international cyber crime gang that stole more than $70 million from small to mid-sized organizations in recent months.

In Wisconsin, police arrested two young men who were wanted as part of a crackdown in late September on money mules who were in the United States on J1 student visas. The men, both 21 years old, are thought to have helped transfer money overseas that was stolen from U.S. organizations with the help of malicious software planted by attackers in Eastern Europe.

Codreanu and Adam

Dorin Codreanu and Lilian Adam, both originally from Moldova, are being transferred to New York, where they were charged on Sept. 30 in connection with the international money laundering scheme (hat tip to Sophos).

In related news, the government of Moldova’s Specialized Services Center for Combating Economic Crimes and Corruption (CCECC) announced late last month that it had detained six individuals suspected of helping the same international ZeuS gang launder money.

All six of those detained were bank employees, and one worked at the Bank of Moldova. According to Moldovan authorities, the suspects allegedly specialized in intercepting Western Union and MoneyGram payments that mules had sent to Eastern Europe after receiving bank transfers from organizations victimized by the ZeuS Trojan.

Altogether, Moldovan prosecutors are looking at 12 suspects, including a government official who is alleged to have provided the group with copies of ID cards needed to open bank accounts. That nation’s anti-corruption center said it has conducted over 30 searches at detainees’ houses, and seized at least $300,000, a gun, and two luxury cars.

Eleven of the 37 money mules charged in September in connection with these attacks are still at large. Photos of the suspects are available at this alert posted by the FBI.

Keeping an Eye on the SpyEye Trojan

November 8, 2010

Last month, I published evidence suggesting that future development of the ZeuS banking Trojan was being merged with that of the up-and-coming SpyEye Trojan. Since then, a flood of new research has been published about SpyEye, including a new Web site that helps track the location of SpyEye control networks worldwide.

Roman Hüssy, the curator of Zeustracker — a site that has spotlighted ZeuS activity around the globe since early 2009 — late last week launched SpyEye Tracker, a sister service designed to help Internet service providers keep tabs on miscreants using SpyEye (take care with the IP address links listed at this service, because they can lead to live, malicious files).

Hüssy said he’s not convinced that the SpyEye crimeware kit will usurp the mighty ZeuS. “Why should they give up something which works and pay for a new tool?” he said in an online chat with KrebsOnSecurity.com. Instead, Hüssy said he’s launching the new tracking service to help prevent that shift.

Continue reading

Flash Update Plugs 18 Security Holes

November 5, 2010

Adobe on Thursday released an update to its Flash Player software that fixes at least 18 security vulnerabilities, including one that is being exploited in targeted attacks.

The Flash update brings the latest version to v To find out if your computer has Flash installed (it almost certainly does) and what version it may be running, go here. The new version is available from this link, but be aware that if you accept all of the default settings, the update may include additional software, such as a toolbar or anti-virus scanner.

If you’d like to avoid Adobe’s obnoxious Download Manager and all these extras, grab the update from this link instead. Updates are available for Windows, Macintosh, Linux, and Solaris versions of Flash.

If you use Internet Explorer in addition to other browsers, you will need to apply this update twice: Once to install the Flash Active X plugin for IE, and again to update other browsers, such as Firefox or Google Chrome (you may find that Google has already updated their browser with this fix). Also, while it’s not strictly necessary, Adobe recommends that users uninstall the previous version of Flash before updating to the latest copy of Flash. Instructions and tools for removing Flash are here.

More information on the vulnerabilities fixed in this patch is available in the Adobe advisory.

Microsoft Warns of Attacks on Zero-Day IE Bug

November 3, 2010

Microsoft Corp. today warned Internet Explorer users that attackers are exploiting a previously unknown security hole in the browser to install malicious software. The company is urging users who haven’t already done so to upgrade to IE8, which includes technology that makes the vulnerability more difficult to exploit.

According to the advisory Microsoft published, this is a browse-to-a-malicious-site-and-get-owned vulnerability. The company reports that the exploit code was discovered on a single Web site that is no longer online. But if past attacks against unpatched IE flaws are any indicator, it will probably not be long before the attack is stitched into plenty of other hacked and malicious Web sites.

Redmond says Data Execution Prevention (DEP) technology enabled by default in IE8 helps protect against attacks, and that the same protection is enabled on all supported platforms, including Windows XP Service Pack 3, Windows Vista Service Pack 1, Windows Vista Service Pack 2, and Windows 7. IE9 beta apparently is not at risk from this threat.

In a post to its Microsoft Security Response Center blog, the company said that it is working to develop a security update to address this attack against the flaw, but that at the moment it “does not meet the criteria for an out-of-band release.” Microsoft is expected to issue another round of security updates next week as part of its regular “Patch Tuesday” cycle, which generally occurs on the second Tuesday of each month.

Symantec Corp. has posted a fascinating blog entry that details just how targeted the attacks have been so far. It offers a peek at how these types of critical flaws in widely-used applications can be used in pinprick attacks to extract very specific information from targeted organizations and individuals. From that post:

“One such case started few days ago when we received information about a possible exploitation using older versions of Internet Explorer as targets. Hackers had sent emails to a select group of individuals within targeted organizations. Within the email the perpetrators added a link to a specific page hosted on an otherwise legitimate website.

….Looking at the log files from this exploited server we know that the malware author had targeted more than a few organizations. The files on this server had been accessed by people in lots of organizations in multiple industries across the globe. Very few of them were seen accessing the payload file, which means that most users were using a browser which wasn’t vulnerable or targeted.”

Read more from the Symantec writeup here.

‘Evilgrade’ Gets an Upgrade

November 3, 2010

“Evilgrade,” a toolkit that makes it simple for attackers to install malicious software by exploiting weaknesses in the auto-update feature of many popular software titles, recently received an upgrade of its own and is now capable of hijacking the update process of more than 60 legitimate programs.

Evilgrade’s creator, Francisco Amato of InfoByte Security Research, says that by targeting widely deployed programs that don’t properly implement digital signatures on their product updates, attackers can impersonate those companies and trick users into believing they are updating their software, when in reality the users may be downloading a package designed to compromise the security of their computer.

Software companies should include these signatures in all of their updates, so that a user’s computer can validate that the update was indeed sent by the vendor. For example, Microsoft signs all of its updates with a cryptographic key that only it knows, and Windows machines are configured to ignore any incoming software update alerts that are not signed with that key. But for whatever reason, many software vendors have overlooked this important security precaution, and have chosen not to sign their updates — or have implemented the signing verification process in a way that can be circumvented.

Among the software products that Amato says EvilGrade can compromise are iTunes, Java, Skype, Winamp — even security applications like Superantispyware, Sunbelt, and Panda Antirootkit (a longer list of vulnerable apps is available in the documentation).

The video above shows how Evilgrade works against even the latest version of Java — Java 6 Update 22.

As the release notes state, this tool is a cross-platform attack suite, meaning that it can be used to attack not only Windows systems, but any vulnerable update mechanism: The attacker need only supply platform-specific payloads designed to run on the targeted user’s operating system.

Continue reading